From: Chuck Swiger
Date: Sun, 02 Apr 2006 16:58:09 -0400
To: nospam@mgedv.net
Cc: freebsd-questions@freebsd.org
Subject: Re: hunting for secure fileserver-connection!

No@SPAM@mgEDV.net wrote:
> the scenario:
> - freebsd-fileserver with encrypted HDD's (GELI) (1.5TB)
> - windows (sorry for that, it's a requirement) as client
>
> the quest:
> - securely mount shared filesystems from the server from
>   the windows client w/o being open to sniffers/network
>   hacks (non-weak encryption required)
> - files should be accessible like with windows-fileserver
>   shares through UNC and/or drive-name(s)
> - server and clients should share the same network. (no
>   tunnelling etc...)
> - authentication should be done against local defined users
>
> what we don't want:
> - VPN/IPSEC/... between the hosts
> - webdav
>
> we've been looking on solutions like secure nfs over tcp,
> samba, etc... but except making it slower, there have been
> no real good solutions until yet.
>
> anybody out there, who has a good advice on that?

If you don't trust CIFS/Samba enough to be secure against local sniffers, and
you won't run IPsec, you're left with odd things like Sun's SecureNFS software,
only I doubt that's available for a FreeBSD fileserver.

If you've got 1.5TB of storage, perhaps you should talk to Auspex or NetApp and
see what the NAS folk have to offer...

-- 
-Chuck